In-depth security news and investigation

Posts Tagged: Intego

Apple on Monday released a critical update to its version of Java for Mac OS X that plugs at least a dozen security holes in the program. More importantly, the patch mends a flaw that attackers have recently pounced on to broadly deploy malicious software, both on Windows and Mac systems.

Distribution of 550,000 Flashback-infected Macs. Source: Dr.Web.com

The update, Java for OS X Lion 2012-001 and Java for Mac OS X 10.6 Update 7, sews up an extremely serious security vulnerability (CVE-2012-0507) that miscreants recently rolled into automated exploit kits designed to deploy malware to Windows users. But in the past few days, information has surfaced to suggest that the same flaw has been used with great success by the Flashback Trojan to infect large numbers of Mac computers with malware.

The revelations come from Russian security firm Dr.Web, which reports that the Flashback Trojan has successfully infected more than 550,000 Macs, most which it said were U.S. based systems (hat tip to Adrian Sanabria). Dr.Web’s post is available in its Google translated version here.

Mac malware is back in the news again. Last week, security firm F-Securewarned that it had discovered a Trojan built for OS X that was disguised as a PDF document. It’s not clear whether this malware is a present threat — it was apparently created earlier this year — but the mechanics of how it works are worth a closer look because it challenges a widely-held belief among Mac users that malicious software cannot install without explicit user permission.

Image courtesy F-Secure.

F-Secure said the Mac malware, Trojan-Dropper: OSX/Revir.A, may be attempting to copy the technique implemented by Windows malware, which opens a PDF file containing a “.pdf.exe” extension and an accompanying PDF icon. F-Secure was careful to note that the payload installed by the dropper, Backdoor:OSX/Imuler.A, phones home to a placeholder page on the Web that does not appear to be capable of communicating back to the Trojan at the moment.

I wanted to understand a bit more about how this Trojan does its dirty work, so I contacted Broderick Aquilino, the F-Secure researcher who analyzed it. Aquilino said the sample is a plain Mach-O binary — which we’ll call “Binary 1”, that contains PDF file and another Mach-O binary (Binary2). Mach-O, short for Mach object, is a file format for executable files on OS X.

According to Aquilino, when you run Binary1, it will extract the PDF file from its body, drop it in the Mac’s temporary or “tmp” directory, and then open it. This is merely a decoy, as Binary1 continues to extract Binary2 from itself — also into the “tmp” directory — and then runs the file.

Upon execution, Binary2 downloads another binary from [omitted malware download site] and saves it as /tmp/updtdata. For the sake of continuity, we’ll call this latest file “Binary3.” Binary2 then executes and downloads the third binary, which opens up a backdoor on the OS X host designed to allow attackers to administer the machine from afar.

“All of this happens without the user needing to input their password,” Aquilino said.

A new version of the infamous Koobface worm designed to attack Mac OS X computers is spreading through Facebook and other social networking sites, security experts warn.

Security software maker Integosays this Mac OS X version of the Koobface worm is being served as part of a multi-platform attack that uses a malicious Java applet to attack users. According to Intego, the applet includes a prompt to install the malicious software:

Intego notes that if the download is allowed, “it runs a local web server and an IRC server, acts as part of a botnet, acts as a DNS changer, and can activate a number of other functions, either through files initially installed or other files downloaded subsequently. It spreads by posting messages on Facebook, MySpace and Twitter, usually trying to get people to click a link to view some sort of video.”

SecureMac also has a writeup on what appears to be the same threat, which it calls OSX.Boonana.a. SecureMac says that “there have been reports of similar behavior in recent trojan horses targeting Microsoft Windows, but they have not included cross-platform capabilities until now.”

It is not surprising that attackers would begin leveraging Java to attack Mac users with threats that have traditionally only menaced Windows users. My research shows that Java is now the leading vector of attacks against Windows systems, findings that recently were buttressed by oodles of attack data released by Microsoft. Also, Java was designed to be a cross-platform technology that would allow applications to run seamlessly regardless of the operating system relied upon by the user. It makes sense for attackers to consider Java as a platform-agnostic vehicle for delivering platform-specific malicious software.